Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
SSHDShield is a daemon that monitors your sshd log looking for signs of a brute force attack and reacts to them
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Type||Name||Latest commit message||Commit time|
|Failed to load latest commit information.|
SSHDShield https://github.com/wiz78/SSHDShield What is it? =========== SSHDShield is a daemon that monitors your sshd log looking for signs of a brute force attack. Upon detecting it, it will call a configurable command to ban the host. Bans will be removed after a configurable time span. Who did it? =========== Simone Tellini, <email@example.com> https://tellini.info/ Show your support ================= If you use this software in a production environment and/or you wish to show your support, you can get me something off one of the Amazon wish-lists of mine, located at http://www.amazon.co.uk/exec/obidos/registry/1K4OWZ581SIRE/ref%3Dwl%5Fs%5F3/026-2575462-0900418 or http://www.amazon.com/gp/registry/4HTWP4885GSB/102-7143304-5385735 Installation ============ "./configure; make install" should compile and install the sshdshield executable in your sbin directory. Usage ===== You need to pass the name of the config file to use on the command line. An example configuration file is shown below: ---8<---8<--- [General] ; log to monitor LogPath = /var/log/messages ; consider only the lines with this ident string SSHIdent = sshd [PasswordFailures] ; defaults: 3 failures per minute MaxAllowed = 3 Interval = 60 [Ban] ; ban time, in seconds BanTime = 7200 ; command to ban the host %h BanCmd = /sbin/iptables -A banned -s %h -j DROP ; command to remove the ban UnbanCmd = /sbin/iptables -D banned -s %h -j DROP [Strings] ; block hosts as soon as they try to authenticate as a non-existant user. This line ; contains a string to look for in the log to apply this rule InvalidUser = invalid user ; string used by your sshd daemon when a user enters a wrong password WrongPassword = failed password ; the word just before the host address in the logs HostPrefix = from ---8<---8<--- You need to restart sshdshield after changing the configuration.